<div dir="ltr"><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jan 6, 2014 at 6:26 PM, Georgy Okrokvertskhov <span dir="ltr"><<a href="mailto:gokrokvertskhov@mirantis.com" target="_blank">gokrokvertskhov@mirantis.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Dough,<div><br></div><div>Thank you for pointing to this code. As I see you use OpenStack policy framework but not Pecan security features. How do you implement fine grain access control like user allowed to read only, writers and admins. Can you block part of API methods for specific user like access to create methods for specific user role?</div>
</div></blockquote><div><br></div><div><div class="gmail_default" style="font-size:small">The policy enforcement isn't simple on/off switching in ceilometer, so we're using the policy framework calls in a couple of places within our API code (look through v2.py for examples). As a result, we didn't need to build much on top of the existing policy module to interface with pecan. </div>
<div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">For your needs, it shouldn't be difficult to create a couple of decorators to combine with pecan's hook framework to enforce the policy, which might be less complex than trying to match the operating model of the policy system to pecan's security framework. </div>
<div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">This is the sort of thing that should probably go through Oslo and be shared, so please consider contributing to the incubator when you have something working.</div>
<div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Doug</div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div><br></div><div>Thanks</div><div>Georgy</div></div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">On Mon, Jan 6, 2014 at 2:45 PM, Doug Hellmann <span dir="ltr"><<a href="mailto:doug.hellmann@dreamhost.com" target="_blank">doug.hellmann@dreamhost.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-size:small"><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">
<div><div>On Mon, Jan 6, 2014 at 2:56 PM, Georgy Okrokvertskhov <span dir="ltr"><<a href="mailto:gokrokvertskhov@mirantis.com" target="_blank">gokrokvertskhov@mirantis.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>Hi,</div><div><br></div><div>In Solum project we will need to implement security and ACL for Solum API. Currently we use Pecan framework for API. Pecan has its own security model based on SecureController class. At the same time OpenStack widely uses policy mechanism which uses json files to control access to specific API methods.</div>
<div><br></div><div>I wonder if someone has any experience with implementing security and ACL stuff with using Pecan framework. What is the right way to provide security for API?</div></div></blockquote><div><br></div></div>
</div><div>
<div style="font-size:small">In ceilometer we are using the keystone middleware and the policy framework to manage arguments that constrain the queries handled by the storage layer.</div><div style="font-size:small">
<br></div><div style="font-size:small"><a href="http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/acl.py" target="_blank">http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/acl.py</a></div>
<div style="font-size:small"><br></div><div style="font-size:small">and</div><div style="font-size:small"><br></div><div style="font-size:small">
<a href="http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/controllers/v2.py#n337" target="_blank">http://git.openstack.org/cgit/openstack/ceilometer/tree/ceilometer/api/controllers/v2.py#n337</a></div>
<div style="font-size:small">
<br></div><div style="font-size:small">Doug</div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div><br></div><div>Thanks</div><span><font color="#888888"><div>
Georgy</div>
</font></span></div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br>Georgy Okrokvertskhov<br>
Technical Program Manager,<br>Cloud and Infrastructure Services,<br>
Mirantis<br>
<a href="http://www.mirantis.com/" target="_blank">http://www.mirantis.com</a><br>
Tel. <a href="tel:%2B1%20650%20963%209828" value="+16509639828" target="_blank">+1 650 963 9828</a><br>
Mob. <a href="tel:%2B1%20650%20996%203284" value="+16509963284" target="_blank">+1 650 996 3284</a><br>
</font></span></div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>